Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Through Obsolescence

Posted by Hemos on from the security-through-elderly dept.

dlur writes "This article and this article (both variations of the same article written by roblimo) delve past security through obscurity, into using old, out of date software to secure a site. Maybe it's not always in your best interest to snag the latest kernel? Perhaps think twice before jumping at the chance to buy MS's latest OS."

7 of 263 comments (clear)

  1. Just Obscurity, not Security by crow · · Score: 5, Insightful

    This is simply a variation on security through obscurity. Make sure the operating system and software it runs are so old that current hacking tools won't work on it. Sure, that will stop a bunch of script kiddies. It's just like running MacOS will make you immune to most viruses.

    Without the script kiddies, you still have to worry about serious crack attempts. By using antique software, it is probably relatively easy to do some research and find security vulnerabilities.

  2. Just introducing new problems by jerrytcow · · Score: 4, Insightful

    At least with current software when a hole is found it will get patched - more quickly for some companies than others. What happens when a major flaw is found with older OSes/apps? Do you really think MS will bother to write a patch for win95 or Apple for mac os 7.1? You will not only have a security problem, but to fix it you'll have to upgrade or migrate to a new platform.

  3. Nice points but... by garett_spencley · · Score: 5, Insightful

    I still wouldn't rely on this for really critical security implementations.

    The main problem is that most vendors stop supporting old products. This creates a huge security threat. Just because no one knows about security holes don't mean they exist.

    Sure you've eliminated probably 99% of all script kiddie threats and if that's the only threat you can identify then by all means this is a cute idea. However, as security administrator at my company I do my best to secure against any and all threats which means I must presume that old versions of Solaris (for example) have gaping security holes that were never fixed and therefore running the leatest and greatest with all applied security patches and a rock hard configuration is my best bet when it comes to security.

    Roblimo's friend does have a point, though regarding Macs. Old Mac's are really the most secure systems out there. Simply because they can't really do much. They weren't designed to be networked and so there aren't any services to exploit ;^)

    --
    Garett

  4. No it's not by ChanxOT5 · · Score: 3, Insightful

    It's Security through time.
    They've got the argument all wrong - it's not more secure because it's obscure - it's more secure because older software has been around longer, and the kiddies have already found the obvious bugs and they've been patched.

    Would you run a 2.5 kernel on a computer where you worried about security? I'd hope not.

    1. Re:No it's not by scott1853 · · Score: 5, Insightful

      I had an argument with a customer a few months ago. He was running Win 95 and had to keep rebooting his machine everytime he wanted to get on the internet and he said it was our fault for providing such crappy internet service. I told him that's normal, Windows 95 is unstable. His response was that it's been out for 7 years so they must have fixed everything that was wrong with it by now.

      You may want to rephrase that statement and maybe say "because older linux kernels have been around longer"

  5. Security through obscurity by gregbaker · · Score: 3, Insightful

    This is a good example of security through obscurity, particularly the MacOS example in the article. Obscurity is no basis for a security model, but a little obscurity thrown in on top of some real security can't hurt.

    For example, a tech I know runs a MySQL server that shouldn't be exposed to the outside world. It's behind a firewall and the port is blocked, fine. It's also run on a non-standard port. Why? Because if somebody cracks the main network, they still have some work to do to get to find the MySQL server. That's time to discover the intrusion and fix the leak.

    Summary: Security through obscurity: bad. Security + obscurity: good.

  6. Security through Maturity by thepoolguy · · Score: 3, Insightful

    Security through obsolescence may be a bit of a misnomer. When I take an older OS release and apply all of the relevant patches, I know that the patch OS is considerably more mature that a newer version. Espicially a new major release with a newer or different components which have not been extensibly tested.

    This is not to say that OS and software companies do not try to thoroughly test their software. They do. But even in the largest, most sophisticated test lab, one cannot recreate all of the possible conditions that will be revealed when the software is released into the real world.

    The reasons older (obsolete) software may be more secure are really two fold. Older software, due to creaping featurism which haunts all software development activities adds features, which adds chances for security holes and errors. I assert the increased features, and espicially increased interfaces (user, programmatic and otherwise) increases the likelyness of security issues. The second issue with older (obsolete) software is that it is more mature. Please understand this carefully- older software that has been patched ot the current patch level will be more secure than software that has not been patched.

    I think equating obsolete software with security is quite a stretch. I do agree with the thought that mature software will have fewer security issues. Added to this the fewer interfaces on older software gives it a greater chance to be free from security issues.

    -tpg.